Hi Adrian,
sorry for the delay in answering.
Those fake credentials are sent by the app to avoid some CORS issues while testing the app in a browser. They aren't sent in Mobile apps (Android/iOS), and they probably shouldn't be sent in desktop apps either, but right now they are due to a bug in the app. I opened an issue to fix this:
https://tracker.moodle.org/browse/MOBILE-2587
Kind regards,
Dani